Sign releases with something stronger than SHA1

[g2p]

SHA1 is now rejected by sequoia and rustup

See https://www.reddit.com/r/rust/comments/10qlf1q/nightly_dc1d9d50f_20230131_signature_verification/ and https://github.com/rust-lang/rustup/issues/3185

Steps to reproduce the issue:

cargo install sequoia-sqv
curl -O https://github.com/rust-lang/rustup/blob/master/src/rust-key.pgp.ascii
curl -O https://static.rust-lang.org/dist/channel-rust-nightly.toml
curl -O https://static.rust-lang.org/dist/channel-rust-nightly.toml.asc
sqv --keyring rust-key.pgp.ascii channel-rust-nightly.toml{.asc,}
Signing key on 108F66205EAEB0AAA8DD5E1C85AB96E6FA1BE5FE is not bound:
           No binding signature at time 2023-02-01T00:44:45Z
  because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
  because: SHA1 is not considered secure since 2023-02-01T00:00:00Z

To fix: switch to a stronger digest Not sure where gpg is called exactly, somewhere in one of the promote-release scripts?

[g2p]

I think the issue is with the Rust release key itself, which uses SHA-1 digests:

gpg --list-packets --verbose < src/rust-key.pgp.ascii |grep digest.algo

algo 2 is SHA-1: https://datatracker.ietf.org/doc/html/rfc4880#section-9.4

Should switch to algo 8, 9 or 10 (SHA-256, SHA-384 OR SHA-512).

The signature itself uses SHA-512:

gpg --list-packets --verbose < channel-rust-nightly.toml.asc |grep digest.algo
digest algo 10, begin of digest 19 b5

https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/

[g2p]

Apparently it is possible to update the digest algorithms without changing the key-id:

https://gitlab.com/sequoia-pgp/keyring-linter

Although it might be good to consider key rotation support later, to future-proof against any other issues the key might have.